Blimp: add support for SSL connections.

blimp/net/exact_match_cert_verifier.cc

Index: blimp/net/exact_match_cert_verifier.cc
diff --git a/blimp/net/exact_match_cert_verifier.cc b/blimp/net/exact_match_cert_verifier.cc
new file mode 100644
index 0000000000000000000000000000000000000000..f2cd4bacb4711f51f6e5d9271a7ec1e45b6841bb
--- /dev/null
+++ b/blimp/net/exact_match_cert_verifier.cc
@@ -0,0 +1,54 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "blimp/net/exact_match_cert_verifier.h"
+
+#include "base/callback.h"
+#include "base/macros.h"
+#include "base/memory/scoped_ptr.h"
+#include "net/base/net_errors.h"
+#include "net/cert/cert_verifier.h"
+#include "net/cert/cert_verify_result.h"
+#include "net/cert/x509_certificate.h"
+
+namespace blimp {
+
+ExactMatchCertVerifier::ExactMatchCertVerifier(
+    scoped_refptr<net::X509Certificate> engine_cert)
+    : engine_cert_(std::move(engine_cert)) {}
+
+ExactMatchCertVerifier::~ExactMatchCertVerifier() {}
+
+int ExactMatchCertVerifier::Verify(net::X509Certificate* cert,
+                                   const std::string& hostname,
+                                   const std::string& ocsp_response,
+                                   int flags,
+                                   net::CRLSet* crl_set,
+                                   net::CertVerifyResult* verify_result,
+                                   const net::CompletionCallback& callback,
+                                   scoped_ptr<Request>* out_req,
+                                   const net::BoundNetLog& net_log) {
+  verify_result->Reset();
+  verify_result->verified_cert = cert;
+
+  if (!cert->Equals(engine_cert_.get())) {

[Ryan Sleevi, 2016/02/25 22:16:25]

One thing worth noting: X509Certificate::Equals only compares the leaf cert, not
any intermediates.

In thinking through this, I suspect you want to change line 39 to

verify_result->verified_cert = engine_cert_;

That way you're always saying you verified against the canonical config and not
arbitrary (unrelated) intermediates.

(hopefully that makes sense)

[Kevin M, 2016/02/26 00:30:04]

Yep, that makes sense. Done.

+    verify_result->cert_status = net::CERT_STATUS_INVALID;
+    return net::ERR_CERT_INVALID;
+  }
+
+  // Attach hashes of |cert| to VerifyResult.
+  net::SHA1HashValue sha1_hash;
+  sha1_hash =
+      net::X509Certificate::CalculateFingerprint(cert->os_cert_handle());
+  verify_result->public_key_hashes.push_back(net::HashValue(sha1_hash));
+
+  net::SHA256HashValue sha256_hash;
+  sha256_hash =
+      net::X509Certificate::CalculateFingerprint256(cert->os_cert_handle());
+  verify_result->public_key_hashes.push_back(net::HashValue(sha256_hash));

[Ryan Sleevi, 2016/02/25 22:16:25]

FWIW, since |cert->os_cert_handle()| will always be the same as |engine_cert_|,
you could totes precompute these and store them next to engine_cert_

e.g. in the ctor

engine_cert_hashes_ = ...;

and then here

verify_result->public_key_hashes = engine_cert_hashes_;

[Kevin M, 2016/02/26 00:30:04]

Done.

+
+  return net::OK;
+}
+
+}  // namespace blimp